Lock Box: Where Should You Store Cloud Encryption Keys

Whether driven by regulatory compliance or corporate mandates, sensitive data in the cloud needs protection along with access control. This usually involves encrypting data in transit as well as data at rest in some way, shape or form, and then managing the encryption keys to access the data. The new conundrum for enterprises lies in encryption key management for data in the cloud

When considering a Software-as-a-Service (SaaS) or Platform-as-a-Service (PaaS) offerings, protection for data-at-rest typically rests in the hands of the cloud service provider. Digging into the the terms of service or master subscription agreement reveals the security commitments of the SaaS/PaaS provider. For example, Salesforce.com’s Master Subscription Agreement indicates “We shall maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Your Data.” For Infrastructure-as-a-Service (IaaS), the security burden typically falls primarily on the cloud consumer to ensure protection of their data. Encryption is a core requirement for protecting and controlling access to data-at-rest in the cloud, but the issue of who should control the encryption keys poses new questions in this context.

When weighing where to maintain encryption keys, enterprises should consider issues including security of the key management infrastructure (a compromised key can mean compromised data), separation of duties (for example, imposing access controls so administrators can backup files but not view sensitive data), availability (if a key is lost, data is cryptographically shredded), and legal issues (if keys are in the cloud, law enforcement could request and obtain encrypted data along with the keys without the enterprise’s consent).

There are a variety of ways to protect data-at-rest in the public cloud, such as tokenization or data anonymization. The most commonly used approach is to encrypting the data at rest. Whether encrypting a mounted storage volume, a file, or using native database encryption (sometimes referred to as “Transparent Data Encryption”, or TDE), all of these operations involve an encryption key. Where should that encryption key be stored and managed? There are three primary options (with lots of variations of the three).

Keys in Enterprise Datacenter: Holding the keys in the datacenter ensures maximum security and availability. There is no risk of an external party being compromised (as in the RSA SecureID breach) and a high availability/disaster recovery configuration can be implemented to ensure keys are always available. There are various deployment decisions including whether to use a virtual appliance or a hardware appliance depending on risk tolerance levels.

SaaS Key Management: A second alternative is using a SaaS key management solution. This involves having a SaaS vendor take responsibility for the keys. While this approach takes advantage of cloud economics, there are risks. Since the SaaS key management vendor assumes responsibility for availability of the keys – if they experience an outage, the data could become unavailable. If keys are somehow lost or corrupted, you data could be permanently unavailable. The vendor is also responsible for the security of the keys – any compromise of the SaaS infrastructure puts customer data at risk (the RSA SecureID episode again comes to mind). There are also legal issues to consider if you do not hold the encryption keys- a cloud service provider (SaaS or IaaS) could be compelled to turn over encryption keys and data via the USA PATRIOT Act without the data owner being aware (a Forrester Research blog posting by Andrew Rose provides a nice summary of the issue).

IaaS Manages Keys: A third option is to rely on tokenization or encryption services provided by your favorite IaaS vendor. This provides a checkbox that data is encrypted, but creates similar security and availability risks posed by the SaaS alternative (you are relying on the security and availability of your IaaS provider’s key management and effectively making the IaaS provider custodian of both the encryption keys and encrypted data – not an ideal separation of duties). Some IaaS providers offer encryption options that allow customers to choose whether they want to manage the keys themselves or have the vendor assume management responsibility. For example, Amazon’s S3 storage includes encryption options to encrypt volumes of data while enabling you to either manage your own encryption keys or to have Amazon hold the keys.

The cloud may create new key management challenges, but the principles for choosing between the various alternatives remain the same. Enterprises must assess their risk tolerance and audit requirements before they can select a solution that best meets their encryption key management needs.